[wp-trac] Re: [WordPress Trac] #2775: Ability for all users to add
users of lesser capable roles
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 9 15:49:29 GMT 2006
#2775: Ability for all users to add users of lesser capable roles
----------------------------+-----------------------------------------------
Id: 2775 | Status: new
Component: Administration | Modified: Fri Jun 9 15:49:29 2006
Severity: enhancement | Milestone:
Priority: normal | Version: 2.1
Owner: doit-cu | Reporter: doit-cu
----------------------------+-----------------------------------------------
Comment (by doit-cu):
There we go (fingers /all/ crossed).
Ringmaster- I think what markjaquith is pointing out is that users with
the ability to edit the plugin would be able to make it do nasty things,
so it would be a good idea to make the plugin read only.
Markjaquith- It doesn't prevent anyone from deactivating it, the core
changes make it so that users with external_edit_users can't edit users
unless a plugin makes it so. In essence, a user could go deactivate the
plugin and take away everyone but admin's rights to edit users, but they
could not exploit a privilege escalation vulnerability.
--
Ticket URL: <http://trac.wordpress.org/ticket/2775>
WordPress Trac <http://wordpress.org/>
WordPress blogging software